Why dual use of work and personal devices could be putting your data at risk, cyber experts warn

Written by Stephen Leach, Detective Inspector and Head of Business Development at NEBRC

In the modern world, technology and apps are essential for HR pros to effectively support successful organisations. There’s no getting away from it: a digital footprint is inevitable, with apps now available across all business disciplines to help make work easier and more efficient, from HR and logistics-related apps to social networking and collaboration.

Whilst this technology is propelling businesses forward and bringing efficiencies, it also comes with risks. Some apps have more data on users than others, meaning that if devices become compromised through cyber attacks, criminals will have access to more information on your employees and even a window into the business.

That’s why NEBRC, a police-led non-profit which supports small businesses with cyber security, has analysed the privacy policies of the 50 most popular free business apps. The apps were ranked by counting the number of data segments collated or used by the app, to find out which have the most personal and behavioural data on users.

Stephen said,

“You might think your security policies are watertight, but your employees’ device use could leave you more exposed than you realise! Many employees will use work devices for personal tasks, adding things like their own email and social media accounts to them, as well as making online purchases. This exposes work devices to threats which might not be accounted for in business cybersecurity policies and best practice.

The opposite can also put your business at risk. Using a personal device to access work files, apps and accounts could leave huge amounts of business data exposed due to poor personal device security. Whilst work devices are often tightly managed, restricting the user’s actions to those authorised by IT, personal devices have no such restriction, and may not be as secure. Information may be harvested by apps, stolen by malware, or seen by someone who is unauthorised but has physical access to the device.”

Meta Business Suite, LinkedIn and Uber are the work apps that consume the most data segments from users. The most common type of data they hold is contact information such as name and email address, alongside user content which includes things like photos, video, audio and other similar types of information.

Social media and marketing apps tend to have the most data on users, having on average 29 different data segments. This is almost four times more than security-based apps and three times as many as file sharing/collaboration apps or HR-related apps, which utilise 7, 8 and 9 data segments respectively.

15 work apps which use the most personal data

(App name = number of data segments used by the app)

1. Meta Business Suite = 32
2. LinkedIn = 25
3. Uber = 21
4. Indeed Flex = 21
5. Reed.co.uk = 20
6. WhatsApp Business = 19
7. Google Chat = 19
8. Amazon Flex = 18
9. Shopify = 18
10. TotalJobs = 18
11. Microsoft Teams = 15
12. Zoom = 15
13. Slack = 14
14. Deliveroo driver = 14
15. Indeed Job Search = 13

Whilst Apple does provide layers of protection designed to ensure that apps are free of known malware and haven’t been tampered with [3], no digital activity can ever be zero risk. You can’t control the threats to apps themselves, but you can look at your own internal policies and behaviour to make your cybersecurity as strong as possible.

In fact, one of the biggest risks to your business when it comes to cyber threats is employee negligence [4]. Poor password management is one of the leading causes of cyber breaches in the UK, with some of the most hacked passwords being things like 123456 and qwerty [5].

To lessen the risk of data vulnerabilities through employee app use across dual-purpose devices, Stephen recommends:

1. Use a password manager – These allow you to securely store complex and unique passwords for each of your accounts, removing the need to remember each of them individually. All you have to do is remember one “master password” which provides you access to your password vault. They also often integrate with web browsers.

2. Use secure passwords – Passwords should be suitably complex so that they cannot be easily guessed by threat actors. This means not including any personal information or patterns, such as 123. Generally, the longer a password is, the more secure it is. NCSC’s Three Random Words will help you create secure memorable passwords.

3. Enable multi-factor authentication – Enabling MFA adds another layer of security to your accounts and can nullify attempts at account access, even if the threat actor knows your username and password! MFA usually presents itself in the form of a code sent via text or app, which you must provide when logging into an account. This code is a lot harder for somebody to obtain when compared with your account credentials.

4. Keep work and personal devices and app use separate – Keeping these separate helps ensure that confidential data stays confidential. Personal devices do not have any restrictions, and are often used for a myriad of purposes. Information pertaining to work cannot be harvested by apps on personal devices if that information is not accessible through that device.

5. Check all apps used for work are fit for purpose – Apps installed on work devices should be authorised by the relevant persons and have a work purpose. Suitable apps will differ from business to business, and most will control which apps can be installed on work devices.

To learn more about cybersecurity for your business and access training resources visit the North East Business Resilience Centre’s website.